At a recent gathering, IT security pros discussed how risk management can protect patients. Illena Armstrong reports.
About 24,000 Medicaid patients in Utah got word in early April they'd have to check their credit and bank statements for fraudulent activity much more diligently after hackers breached a Utah Department of Health (UDOH) server storing thousands of their records.
Then, a couple of days later the news became much worse when the still-continuing investigation uncovered that Children's Health Insurance Plan (CHIP) recipients also were affected.
The tally of client records removed by cyber criminals from the server currently stands at 780,000. Of those, some 280,000 patients have seen their Social Security numbers compromised.
Such breaches of health care data now are happening at an unprecedented frequency, according to many experts. Often, when they do occur, greater volumes of critical data are impacted, as well.
Speaking at a recent SC Magazine Health Care Security Roundtable, Paul Contino, corporate chief technology officer (CTO) at New York City Health and Hospitals Corp. (HHC), said there were only a handful of major health care data breaches being reported some three years ago. These commonly involved the simple loss or theft of laptops or backup tapes. But, things have rapidly changed.
“In truth, health care has become a much softer target to a lot of hackers for a lot of reasons,” he said during the roundtable, which was sponsored by HP Enterprise Security. “Today we're seeing an escalation in the number of those breaches both in quantity and magnitude. Also, we're starting to see other types of theft. [Some are] internal to the organizations. We're starting to see hacking attempts where [cyber criminals] are successfully breaking into systems. So the threat landscape is changing to where it's not just dumb mistakes [such as an unencrypted laptop getting left in a taxi or backup tapes falling off a delivery truck] anymore. There are more organized hacking attempts that are confronting health care now.”
Statistical data bears this trend out. The Office of Civil Rights for the U.S. Department of Health and Human Services maintains a tally of breaches. Not only is the office tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA), it implements the additional data security provisions noted in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the economic stimulus package known as the American Recovery and Reinvestment Act of 2009.
Starting the breach incidence count with the inception of HITECH and its data breach notification requirement that first year, the civil rights office shows that a mere 50 incidents were reported from September to December 2009, which affected about 2.4 million individuals. Come 2010, the number of breaches jumped to 259 with 5.4 million individuals exposed. Last year, 147 incidents were reported, but those affected went well into the millions given that a few organizations alone saw huge exposures, including TRICARE at 4.9 million patients hit, Health Net at 1.9 million individuals affected and The Nemours Foundation at 1.2 million people compromised. This year, some 31 incidents already have been reported.
As the investigation is still underway, the UDOH breach hasn't made that list just yet. But, some information has been released. The Utah Department of Technology Services (DTS) initially thought 24,000 claims were affected by the attack. It turns out, however, that one of those files can contain claims on hundreds of individuals. And the kinds of information often found on these include Social Security numbers, addresses, tax ID numbers, doctors' names and more.